At the time of publication of this note, it seems increasingly likely that the UK will not be granted an adequacy decision by the end of the transition period (31st December 2020). In this note, we look at how data will flow between the UK and Europe from 1st January 2021 and how the (EU) 2016/679 GDPR will apply to the UK when processing EU personal data in the UK.
GDPR, DPA 2018 and Brexit: the background
The General Data Protection Regulation ((EU) 2016/679) (GDPR) became directly applicable in all EU member states from 25 May 2018. The Data Protection Act 2018 (DPA) was introduced at the same time, with the intention of ensuring that UK and EU regimes were aligned post-Brexit and to:
- Supplement the GDPR requirements and standards.
- Set out UK-specific exemptions.
- Cover areas not dealt with by the GDPR.
From the end of the transition period, the UK GDPR will be the retained EU law version of the GDPR as amended by the DP Brexit Regulations. However, it will not necessarily automatically incorporate any changes made to the EU GDPR going forward (which would need to be specifically incorporated by the UK).
The DPA 2018 uses the term EU GDPR to refer to the General Data Protection Regulation ((EU) 2016/679) as it continues to apply in the EU.
Data processed or obtained before the end of the transition period
The EU GDPR will continue to apply to any personal data obtained or processed in the UK about EU data subjects before the end of the transition period, unless there is an adequacy decision for the UK (when it would then become subject to the UK GDPR and DPA 2018). Personal data about UK data subjects processed in the UK before the end of the transition period falls under the UK GDPR and DPA 2018 from the end of the transition period.
UK as a third country: transferring EU data to the UK
At the end of the transition period, the UK will become a third country under the EU GDPR. This means that EU controllers and processors will need to ensure that a mechanism is in place to protect the transfer of personal data to the UK.
Unless the EU has approved an adequacy finding for the UK by then, the mechanism most likely to be used is the Standard Contractual Clauses (SCCs). EU data exporters will also need to take into account appropriate safeguards in the third country for the personal data transferred out of the EU. EU controllers will need to review their data flows and identify where new or updated agreements will be required.
The EU has said that the Commission will use its best endeavours to conclude the assessment of the UK regime by the end of 2020, with a view to possibly adopting an adequacy decision if the UK meets the applicable conditions. At the time of writing, the Commission is conducting this assessment and has held several technical meetings with the UK to gather information to inform the process. However, organisations should be considering alternatives to ensure the compliance of any personal data transfers to the UK if no adequacy decision is reached by the end of 2020, as there are some potential obstacles to a decision, as well as the possibility of delays to the negotiations.
Askia Assurances and safeguards
Should an adequacy decision not be reached by the end of the year, here are the assurances and the approach that will enable the Askia Group to continue transferring personal data between the UK and Europe:
- The Askia Group of companies has data protection and information security procedures and policies in place to ensure the security of information and personal data.
What other data security assurances can Askia provide?
Askia can assure EU customers that their data will be secure with us because:
- In general – Askia ensures that personal data is stored securely using modern software that is kept up to date. Access to personal data is limited to personnel who need it and who are trained in data protection and information security, and appropriate security controls are in place to prevent unauthorised sharing of information. When personal data is deleted, this is done securely so that the data is irrecoverable. Appropriate back-up and disaster recovery solutions are also in place.
- Certifications – Our secure data centre is certified to the international standard for information security, ISO 27001. Askia as a company is currently not ISO 27001 certified; however, this framework is used as best practice for our software development, especially around privacy and security by design.
- Access management / Remote access – Access to the data centre is strictly restricted to Askia IT and Support staff, and is made via VPN (Cisco AnyConnect).
- User permissions – Role-based permissions are enforced via Active Directory.
- Redundancy / Backups – Firewalls, power supplies and switches are fully load balanced.
- Change management – Process:
  - Askia implements IT changes in a comparable way to our product development.
  - Askia maintains a Kanban board that outlines the desired changes for a fixed period of time (4 months). When the period starts, we notify affected users on the appropriate communication channels (MS Teams for internal users, email for external users). Each change is logged in a ticket, and its progression on the Kanban board notifies users and stakeholders.
  - When applicable, changes are rolled out to a smaller subset of targets for testing.
  - After validation by the change requester and the change manager, the change is rolled out, a final notification is sent to users and stakeholders, and IT staff are assigned to provide support for a given time during user adoption if necessary.
- Vulnerability management / Penetration testing:
  - We collaborate on external pen testing of customer environments, and we have planned for our own environments to be pen-tested in 2021.
  - We have boxes that are pen-tested by third parties hired by our customers. We make sure to apply recommended enhancements whenever they are suggested.
  - We plan to pen-test an isolated system in 2021 with a third-party provider of our choice.
  - We review logs as part of the support service we provide.
- Windows maintenance and protection – Askia staff ensure that all critical Windows updates are applied on a regular basis and that an anti-malware solution is running on every asset. Virtual machines are protected with an on-access scan whenever new data is uploaded or downloaded. Scans are performed at least once a year, mostly at clients' request.
- Patching – We aim for OS patches to be installed once a week with automatic restart outside business hours. The timing varies, as software is patched with client notice and planning.
Askia is signed up to the rigours of the UK national regulator, the Market Research Society (MRS). The MRS is already developing a GDPR Research Code together with our European counterparts and European national DPAs, and MRS will sign up to the GDPR Research Code as soon as it becomes operational. Askia also worked closely with ESOMAR to form its original GDPR policies and guidance.
Transfers from the UK to the EU
The amended UK data protection legislation provides that transfers from the UK to the EU can continue without additional protections being put in place, as EU countries will be deemed by the UK to have an adequate level of data protection.
Transfers from the UK to non-EU countries and transfers from non-EU countries to the UK
A new section in the DPA 2018 provides for regulations to allow for transfers to non-EU countries and existing adequacy decisions remain in force. Provision is also made for the existing SCCs to continue to be valid for transfers from the UK to non-EU countries and the Information Commissioner will have the power to issue new clauses.
Askia’s Preparation in the event of an adequacy decision not being reached by 31st December 2020:
1. Existing Client Contracts that involve processing of EU personal data that extend past the transition period
We will work with clients to ensure contracts are updated accordingly so that the data flow can continue. Where relevant, we will obtain written consent to:
- Process EU personal data in the UK
- Use UK subcontractors to process EU personal data
2. Template Data Protection Documents
We will update our standard terms and conditions (incl. data processing agreements and privacy notices) to reflect the changes.
3. EU Representative
We will appoint a representative in the EU to meet EU GDPR requirements.
4. Policies and procedures
We will:
- Update the relevant company policies and procedures to ensure that the changes are reflected
- Organise additional staff training where required
Where to find additional Information and contact details:
Market Research Society (MRS): https://www.mrs.org.uk/
Information Commissioner’s Office (ICO): https://ico.org.uk/for-organisations/data-protection-at-theend-of-the-transition-period/
UK Government: https://www.gov.uk/transition
To contact our compliance team: firstname.lastname@example.org